Real world sflow vs netflow?

Mon Sep 24 21:25:47 UTC 2012

On Mon, Sep 24, 2012 at 11:52:28AM -0700, Peter Phaal wrote:
> On Mon, Sep 24, 2012 at 11:19 AM, Joe Loiacono <jloiacon at csc.com> wrote:
> > OK, Well I guess I was thinking sFlow was primarily a switch oriented
> > technology versus on a layer-3 peering router.
> 
> The sFlow technology is a good fit for any device that performs a
> packet forwarding function (including routers) and the sFlow.org web
> site maintains a list of switches and routers that implement the
> technology,

Minus a whole pile of babble from people who don't actually know what a 
router vs layer 3 switch is...The difference at this point is mostly that 
NetFlow has provisions to allow exporting all data about an ENTIRE flow, 
whereas sFlow is designed to only take statistical samples for overall 
traffic analysis. Tracking an entire flow is much harder, it requires 
keeping state on the router, so if you only care about overall traffic 
analysis sampling is just fine.

Originally sFlow introduced features like raw packet export (including 
layer 2 headers), and extensible formatting, which NetFlow later copied 
with v9 and v10/IPFIX. At this point they're "mostly" on the same footing 
technically, though sFlow does have a "counter export" feature which is 
essentially a "push" version of polling SNMP IF-MIB counters. Only Cisco 
and Juniper are still trying to push NetFlow though, sFlow has been 
adopted by nearly ehter other vendor at this point. Even some Juniper 
products, like EX (which is really Marvell ASICs with a JUNOS wrapper), 
support sFlow only.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)